[keycloak-dev] Blacklist Password Policy

Thomas Darimont thomas.darimont at googlemail.com
Thu Aug 3 06:28:19 EDT 2017


Hello,

great, that's just what I built :) here is the PR:
https://github.com/keycloak/keycloak/pull/4370

I'm not sure about the error handling if a configured password list cannot
be found on the filesystem.
https://github.com/keycloak/keycloak/pull/4370/files#diff-91236e069747f156edbd2c282fec8d92R78

Looking forward to your feedback :)

Cheers,
Thomas
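The mechanism discussed in this thread (a blacklist compiled to a trie at startup, read from a file named in the policy config, consulted on every password change, and failing loudly when the configured file is missing), as an added illustrative example that is neither Keycloak's code nor the PR's; the list contents, file handling and function names are assumptions.

```python
import os
import tempfile

# Constructed sample list (one password per line) standing in for a shipped SecLists file.
SAMPLE_BLACKLIST = "password\n123456\nqwerty\nletmein\n"

class PasswordTrie:
    """Trie of blacklisted passwords. Lookup is exact: an entry 'password'
    does not reject 'password1', so a list needs to contain such variants."""
    def __init__(self):
        self.root = {}

    def add(self, word):
        node = self.root
        for ch in word:
            node = node.setdefault(ch, {})
        node["$"] = True  # end-of-word marker

    def contains(self, word):
        node = self.root
        for ch in word:
            node = node.get(ch)
            if node is None:
                return False
        return "$" in node

def load_blacklist(path):
    """Compile a newline-delimited list into a trie at startup. A missing file
    raises, so a misconfigured policy fails loudly instead of accepting everything."""
    if not os.path.isfile(path):
        raise FileNotFoundError(f"password blacklist not found: {path}")
    trie = PasswordTrie()
    with open(path, encoding="utf-8") as fh:
        for line in fh:
            entry = line.rstrip("\r\n")
            if entry:
                trie.add(entry)
    return trie

def is_password_allowed(trie, candidate):
    """Check run on password change: reject anything that is in the blacklist."""
    return not trie.contains(candidate)

def demo():
    # Write the constructed list to a temp file, load it, then check three passwords.
    with tempfile.NamedTemporaryFile("w", suffix=".txt", delete=False) as tmp:
        tmp.write(SAMPLE_BLACKLIST)
    trie = load_blacklist(tmp.name)
    os.unlink(tmp.name)
    return [is_password_allowed(trie, p) for p in ("123456", "password1", "Tr0ub4dor&3")]
```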

2017-08-03 12:11 GMT+02:00 Marek Posolda <mposolda at redhat.com>:

> +1 for filesystem.
>
> Marek
>
>
> On 29/07/17 10:06, Thomas Darimont wrote:
>
>> Okay cool.
>>
>> Instead of storing the password blacklist in the database I could instead
>> just refer to a password blacklist that lives on the file system.
>>
>> So Keycloak could ship with some of the lists from [0] and refer to those
>> with a name like "default-blacklist1000", "default-blacklist-100000"
>> in the BlacklistPasswordPolicy config within the admin-console.
>>
>> The "default-blacklist-100000" blacklist would then be mapped and resolve to
>> something like "META-INF/password-blacklist/10_million_password_list_top_100000.txt".
>>
>> Users could provide their own blacklists with the provider config stored in
>> standalone.xml that could then be adjusted via jboss-cli.
>>
>> I think this filesystem based approach is better than having to load and
>> store big text-blobs in the database.
>>
>> Cheers,
>> Thomas
>>
>> [0] https://github.com/danielmiessler/SecLists/tree/master/Passwords
>> Using those password lists seems to be allowed according to their license:
>> https://www.owasp.org/index.php/Projects/OWASP_SecLists_Project
>> which is Creative Commons Attribution ShareAlike 3.0 License
>> -> IANAL but it seems to be useable in commercial products as well
>> https://creativecommons.org/licenses/by-sa/3.0/
>> as long as the authors are mentioned.
>>
>>
>> 2017-07-28 22:03 GMT+02:00 Bill Burke <bburke at redhat.com>:
>>
>>> Yah, that sounds cool.
>>>
>>> On 7/28/17 11:48 AM, Thomas Darimont wrote:
>>>
>>>> Hello,
>>>>
>>>> I built a configurable Password Policy that allows matching a given
>>>> password against a blacklist of easy-to-guess passwords that should not
>>>> be allowed as user passwords.
>>>>
>>>> The 'BlacklistPasswordPolicyProvider' can be configured via the admin UI
>>>> with a ";" delimited list of easy to guess passwords.
>>>>
>>>> If the user or admin wants to change the password, it is checked against
>>>> the blacklist.
>>>> A password list can be found here:
>>>> https://github.com/danielmiessler/SecLists/tree/master/Passwords
>>>>
>>>> A blacklist is of course not a perfect solution but could still be useful
>>>> for some users.
>>>>
>>>> The password blacklist would be compiled to a trie at startup (and on
>>>> changes of the blacklist) for efficient lookups.
>>>>
>>>> WDYT?
>>>>
>>>> Cheers,
>>>> Thomas
>>>> _______________________________________________
>>>> keycloak-dev mailing list
>>>> keycloak-dev at lists.jboss.org
>>>> https://lists.jboss.org/mailman/listinfo/keycloak-dev